Targeting A Directory Entry - Netscape DIRECTORY SERVER 6.1 - ADMINISTRATOR Administrator's Manual

the result would be to allow all values of the target attribute. The first ACL (
will allow and the second ACL (
b
will be the same as the one resulting from using an ACL of the form:
acl3: ( targetattr="*" ) allow (...) ...
Notice that nothing is denied. This could give rise to security problems.
When you want to deny access to a particular attribute, use
clause rather than using
usages such as these are recommended:
acl1: ( target=...)( targetattr=a )(version 3.0; acl "name";deny
(...)..
acl2: ( target=...)( targetattr=b )(version 3.0; acl "name";deny
(...)..

Targeting a Directory Entry

To target a directory entry (and the entries below it), you must use the
keyword.
The keyword can accept a value of the following format:
target
target="ldap:///distinguished_name"
This identifies the distinguished name of the entry to which the access control rule
applies. For example:
(target = "ldap:///uid=bjensen,dc=example,dc=com")
If the DN of the entry to which the access control rule applies
NOTE
contains a comma, you must escape the comma with a single
backslash (\). For example:
(target="ldap:///uid=lfuentes,dc=example.com
Bolivia\,S.A.")
You can also use a wildcard when targeting a distinguished name using the
keyword. The wildcard indicates that any character or string or substring is a
match for the wildcard. Pattern matching is based on any other strings that have
been specified with the wildcard.
The following are legal examples of wildcard usage:
) will allow
acl2
with
allow ( targetattr != value )
Creating ACIs Manually
. The result of these two ACLs
a
in the permissions
deny
. For example,
Chapter 6 Managing Access Control
)
acl1
target
target
201